EU Commission Sued For Violating Its Own Data Protection Rules

from the if-even-the-bureaucrats-can't-comply... dept

We’ve highlighted for years the problems with the data protection regime in the EU, mainly the GDPR, but other aspects as well. The underlying idea — that people have a right to have their data protected — may seem sound and logical, but in practice it’s generally been a total mess*, one that has likely caused much more harm than it’s solved. We recently wrote about the surprising news that the EU’s top data protection official was finally admitting that the GDPR really hasn’t worked out the way anyone expected, which was so surprising since it’s become important for EU “data protection” experts to prop up the myth that the GDPR has been a success.

Of course, rather than recognize that it’s the entire framework of the GDPR that is the problem, the official insisted that the real problem was not enough enforcement by data protection authorities. Basically “it’s not the law that’s wrong, it’s the fact that we haven’t punished more companies.” The logic there could make sense if the real problem were that companies don’t actually care about how they make use of our data (which may be true in some cases, but actually seems much rarer than most people believe).

But, that belief that more enforcement is the answer starts to look a lot more questionable when the actual issue might be that the rules and the framework of the GDPR are impossible to comply with.

And, just to put an exclamation point on that, the EU Commission itself has now been sued for violating its data protection rules. This is not technically the GDPR, as (of course) the Commission is exempt from the GDPR itself, but does have other, mostly similar, data protection rules it must follow.

The litigation regards the website of the Conference of the Future of Europe, a conference meant to engage EU citizens in deciding the future of the bloc and its member states.

Amazon Web Services host the website, hence when registering for the event, personal data such as the IP address is transferred to the United States.

Moreover, the Commission’s website also allows users to log in via their Facebook accounts. The US-based social media has also been challenged for illegally transferring personal data to the US, and a complaint in this regard is currently being looked into by the Irish Data Protection Commissioner.

As the European Commission is the website’s operator, the plaintiff asked for information on how personal data is processed in two inquiries. According to the lawsuit, one of the inquiries was answered incompletely, and the other was not answered at all, violating the information rights under the data protection law.

There are a few things to comment on here. First, the underlying issue is the failure of the successive EU/US agreements on data sharing/transfers, which, as we’ve noted, really has a single issue at the crux: the NSA’s spying on the internet. The US could fix all that by stopping such overly intrusive mass surveillance, but instead has basically hung the US internet sector out to dry by pretending the real problem is their data protection practices (which are often way better than just about any other industry).

But, as it stands, right now it’s effectively a violation of EU data protection laws to use the most widely used American internet services.

The second, more important point, is that this (once again) shows how the problem is not necessarily the lack of enforcement, but rather the ridiculous nature of the framework, in which no one can actually comply with the rules in a reasonable manner. Even the EU Commission itself.

And this isn’t the first time this kind of thing has been pointed out. Soon after the GDPR went into effect, people noticed that the EU Parliament’s own website likely violated the law.

This should lead people to recognize that maybe the framework we have here is wrong. The issue isn’t that we need more fines and more aggressive enforcement — because all that does is drive up compliance costs on a system that is impossible to fully comply with no matter what anyone does. And the biggest companies can easily pay off these fines.

For everyone else: you’re basically screwed. Anyone who wants to cause trouble for basically anyone with a website in the EU can find some way in which a website is not in compliance and then basically create a huge hassle for them.

Should we find better ways for people to keep their data safe and away from misuse? Absolutely. Is the answer to create a cumbersome, impossible-to-comply-with system of confusing laws that requires expensive lawyers to constantly give you non-committal answers on how to minimize your risk? It doesn’t seem like it. Is the answer to make sure that no one in the EU can actually make use of useful online services? Also doesn’t seem like it.

There has to be a better way. But, rather than look for the better way, so many people seem content with assuming that this is the way things have to be done: by creating ridiculously complex laws that basically make it legally risky to have a website. And, of course, it’s spreading. In many ways, the California privacy law is modeled on a similar framework to the GDPR and has already created messes for businesses in California. And other states are looking to do the same.

The very fact that the EU Commission itself can’t comply should be seen as a flashing warning sign that the problem is the framework of the law.

* For what it’s worth, every time I write about the GDPR, “data protection” experts in the EU get furious with me. But none have ever been able to explain how this setup makes any sense or how whatever benefits they insist accrue as a result of this regime outweigh the very obvious problems (which they rarely seem willing to acknowledge).



Comments on “EU Commission Sued For Violating Its Own Data Protection Rules”

28 Comments
Maxander (profile) says:

Do you want a cookie?

I only care about their failure to arrange a reasonable standard and methods to deal with cookie pop-ups.

They could have worked to develop a standard to set up your preferences once in the browser of your choice and not an unskippable pop-up every time you visit a site with expired cookies, but no.

They’d rather bother me every day with something completely unnecessary in these times; we’ve got the technology to make a reasonable choice that does not cause disruption to your experience.

Just lazy work, really.

Anonymous Coward says:

Re:

They could have worked to develop a standard to set up your preferences once in the browser of your choice

There is a standard for that. It’s called cookies. When they aren’t allowed to use cookies (read: know anything about you) without a valid cookie to indicate you’ve already consented … then they have to give you the popup.

Anonymous Coward says:

Re: Re:

When they aren’t allowed to use cookies (read know anything about you) without a valid cookie to indicate you’ve already consented … then they have to give you the popup.

No, they don’t. Sites choose to. It would be perfectly legal to just not store anything about anyone without explicit permission—and a cookie would be a fine way to store this permission.

Implicit permission is also valid. If you log in, you don’t need to specifically consent to a resulting session cookie (as long as it goes away when you log out). If you click “always show this site in English”, they’re free to store a “lang=en” cookie. I’m not aware of any site that’s gotten in trouble for something like this.

The cookie banners are mostly malicious compliance, to trick the public into “agreeing” to things. It’s bad for security as well as privacy; a family member was getting “you have a virus” popups when starting Chrome, and I found out they’d agreed to let some unknown site show persistent notifications. Because sites “won’t work unless I click OK”. (Luckily, Chrome’s default of “ask” can be changed to “never allow”.)
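As an added illustration of the mechanism this thread describes (a consent marker stored in a cookie, with session and language cookies allowed without it), here is a small server-side gate. This is not code from Techdirt or from any commenter; the cookie name `consent`, the value `yes`, and the list of essential cookies are assumptions for the demo.

```javascript
// Added example, not from the Techdirt post or its commenters.
// Essential cookies (session, language preference, and the consent marker itself)
// are always allowed; any other Set-Cookie is withheld until the request carries
// an explicit consent cookie. Names and values below are assumptions.

const CONSENT_COOKIE = "consent";                          // assumed marker name
const ESSENTIAL = new Set(["session", "lang", CONSENT_COOKIE]); // assumed essential set

// Parse a Cookie request header ("a=1; b=2") into a name -> value object.
function parseCookieHeader(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    let value = part.slice(idx + 1).trim();
    try { value = decodeURIComponent(value); } catch { /* keep raw value */ }
    if (name) out[name] = value;
  }
  return out;
}

// True only when the visitor has explicitly opted in.
function hasConsent(cookies) {
  return cookies[CONSENT_COOKIE] === "yes";
}

// The cookie that records an opt-in once the visitor clicks "agree".
function consentSetCookie(days = 180) {
  return `${CONSENT_COOKIE}=yes; Max-Age=${days * 86400}; Path=/; Secure; SameSite=Lax`;
}

// Given the Set-Cookie strings the application wants to emit, return the ones
// that may be sent for this request, plus the names that were withheld.
function filterSetCookies(setCookieHeaders, requestCookieHeader) {
  const consent = hasConsent(parseCookieHeader(requestCookieHeader));
  const allowed = [];
  const dropped = [];
  for (const sc of setCookieHeaders) {
    const name = sc.split("=")[0].trim();
    if (ESSENTIAL.has(name) || consent) allowed.push(sc);
    else dropped.push(name);
  }
  return { allowed, dropped };
}

// Constructed sample: the app wants a session cookie (no Max-Age, so it dies
// with the browser session), a language preference, and an analytics id.
const WANTED = [
  "session=abc123; HttpOnly; Secure; SameSite=Lax",
  "lang=en; Path=/; Secure; SameSite=Lax",
  "analytics_id=xyz; Max-Age=31536000; Secure; SameSite=Lax",
];

console.log("without consent:", filterSetCookies(WANTED, ""));
console.log("with consent:   ", filterSetCookies(WANTED, "consent=yes; lang=en"));
```

Run with `node` to see the analytics cookie withheld on the first call and allowed on the second; the session and language cookies pass in both cases.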

ECA (profile) says:

Re: A popup trick

You can erase tons of things including all your passwords to each site.
But how big of a book do you want to carry, with all your passwords, esp. when you have a different one for each site.

RECENTLY,
A YT Broadcaster had to apologize for being late on videos. 1 Of his accounts was hacked and come to find out, 2 of his accounts with his name, had the SAME passwords. Say hello Amazon. The Corrections took about a week to debate it out.
THEN do you really want a program on your machine to HOLD ALL of your passwords. 1 Such company got hacked, and found the Names and password for the users, and USED those entered into the program to FIND ALL of each USERS passwords.
GET A BOOK, MAKE DIFFERENT ONES EVERYPLACE… EVEN USE DIFFERENT NAMES for the accounts. Only the Bank details need the real names.

Naughty Autie says:

EU Commission Sued For Violating Its Own Data Protection Rules

Mike, no. As you said yourself, the EU Commission is exempt from the GDPR. Careful reading of your article instead reveals that what is actually being sued over is the EU Commission’s violation of Freedom of Information rules in regard to a request for data as to whether or not it allowed American companies to collect the data of EU countries’ citizens.

Naughty Autie says:

Re: Re:

Headline of the article:

EU Commission Sued For Violating Its Own Data Protection Rules

The first sentence of the article:

We’ve highlighted for years the problems with the data protection regime in the EU, mainly the GDPR, but other aspects as well.

So Mike was indeed heavily implying that the EU Commission was violating the GDPR before revealing the fact that they’re not bound by it later in the article. It’s only by careful reading that someone can glean what the article is actually about, which may reveal those without good reading comprehension, but the headline and first sentence put together make for rather lazy journalism.

Anonymous Coward says:

Re: Re: Re:

Techdirt is no entertainment site, careful reading should be the default. I don’t see anything wrong with the writing style. Mike gently paves the way to the point by reiterating a few facts relating to privacy legislation in the EU. It’s a common pattern here, I often see it used by Karl Bode.

Anonymous Coward says:

Re: Re: Re:2

The issue here is that not everyone has the time or ability for extremely careful parsing of the articles, and because I’m dyslexic, careful parsing of Mike’s article would have taken me hours, something nobody has time for. That’s why I’m grateful to Autie for their clear explanation of what the article is actually about. As for Karl Bode having a similar style, that’s true, but he’s never begun with an easily misread implication that I can recall.

Naughty Autie says:

Re:

First off, stop calling it “your” data. You’re on NHS property – getting a blood test, receiving a prescription, whatever – as either a patient or just the parent of one. Everything you do, say, see, or receive… that’s all their data as much as anyone’s, right? If you don’t understand the similarity between online data and medical information, then you’re an ignoramus.

Eldakka (profile) says:

Should we find better ways for people to keep their data safe and away from misuse? Absolutely. Is the answer to create a cumbersome, impossible-to-comply-with system of confusing laws that requires expensive lawyers to constantly give you non-committal answers on how to minimize your risk? It doesn’t seem like it. Is the answer to make sure that no one in the EU can actually make use of useful online services? Also doesn’t seem like it.

While the nitty-gritty details of the law may be complex (like any law), the high-level requirements to comply with the law are pretty fucking simple:

1) only collect data you absolutely need to provide the service;
2) don’t include libraries in your website that collect user data in breach of point 1, e.g., Google Analytics, directly sourced Facebook ‘like’ buttons, using Facebook as a login mechanism;
3) if you don’t know what a random library you are including in your website does, don’t fucking include it;
4) for data under point 1, ensure the method to collect it and the storage of it remains within the EU;
5) if you are willing to do more work, then expand 4 to include a country/foreign company that has the appropriate data sharing agreements in place (but easier to just stick under point 4);
6) if you do decide to collect extra data, then it is your choice to have to go through the extra rigmarole of appropriately obtaining informed consent;
7) if you undertake point 6, you are choosing to engage in ensuring whatever process you use to collect the data (e.g. Google Analytics) complies with 4, 5, and 6;
8) just don’t do 5 and 6 if you aren’t prepared to go through the extra liability and due diligence processes;
9) know how your website works;
10) if the purpose of your website is to monetize user data, fuck off;
11) if any of the above is ‘too hard’ you are in the wrong fucking business.
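Points 2, 3 and 9 above amount to "know which third parties your page loads from", since every external script, iframe or image causes the visitor's browser (and IP address) to contact that host. As an added example, not Eldakka's or Techdirt's code, here is a small audit that lists the external hosts a page's HTML pulls resources from. The first-party host `example.eu`, the third-party hosts and the sample HTML are all constructed for the demo.

```javascript
// Added example, not from the Techdirt post or its commenters.
// Lists every off-site host referenced by script/iframe/img/link tags so a site
// operator can see which third parties receive requests on page load.
// SITE_HOST and SAMPLE_HTML are constructed for the demo.

const SITE_HOST = "example.eu"; // assumed first-party host

// Match src= or href= on script, iframe, img and link tags (simple regex scan,
// adequate for an audit of well-formed HTML; not a full HTML parser).
const TAG_RE = /<(script|iframe|img|link)\b[^>]*?\s(?:src|href)\s*=\s*["']([^"']+)["']/gi;

// Return [{ host, tags }] for every host other than the first party, sorted by host.
function externalHosts(html, siteHost = SITE_HOST) {
  const hosts = new Map(); // host -> Set of tag names that reference it
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    let url;
    try {
      // Resolve relative and protocol-relative URLs against the first-party origin.
      url = new URL(m[2], `https://${siteHost}/`);
    } catch {
      continue; // unparsable attribute value: nothing to contact
    }
    // data: and other host-less URLs have an empty hostname and contact nobody.
    if (url.hostname === "" || url.hostname === siteHost) continue;
    if (!hosts.has(url.hostname)) hosts.set(url.hostname, new Set());
    hosts.get(url.hostname).add(tag);
  }
  return [...hosts.entries()]
    .map(([host, tags]) => ({ host, tags: [...tags].sort() }))
    .sort((a, b) => a.host.localeCompare(b.host));
}

// Constructed sample page: first-party CSS and JS, plus an analytics script,
// a social-plugin iframe and a protocol-relative image from a CDN.
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="/js/app.js"></script>
<script async src="https://analytics.example.net/tag.js?id=PLACEHOLDER"></script>
</head><body>
<iframe src="https://social.example.org/plugins/like?href=https%3A%2F%2Fexample.eu"></iframe>
<img src="//static.example.org/logo.png" alt="logo">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" alt="pixel">
</body></html>`;

console.log(externalHosts(SAMPLE_HTML));
```

Running it prints the three external hosts and the tag types that reference each; the first-party assets and the inline `data:` image are not listed. Anything in that output that the operator cannot explain is exactly the "random library" point 3 warns about.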
